IWS - The Information Warfare Site

ALERT 01-029

"VBS/Mass-Mailing Worm, W32/Goner.A"
December 04, 2001

The National Infrastructure Protection Center (NIPC) is tracking a new mass-mailing worm called W32/Goner.A. This is a very fast-spreading mass-mailing worm that appears to take advantage of Visual Basic Scripting built into Microsoft Outlook and Outlook Express. Developing information indicates that this worm mails itself to all the addresses within the infected computer's Outlook or Outlook Express address book, sets itself as a server process so it does not show up in the task manager, and deletes the anti-virus definitions from many common anti-virus products.

Recommended Actions:

Update virus definitions and ensure they include the signature for Goner or request definition updates from your technical support personnel. Most major anti-virus companies have provided new definition files for this virus. If your definition file pre-dates December 04, 2001, it is not current. Older definitions do not alert on this worm.

For individual users:

Consider deleting unexpected e-mail file attachments without opening them, and consider enabling browser and e-mail security settings. Exercise particular caution with e-mails that contain attachments ending in .exe, .vbs, .bat, .scr, or .pif. These actions will help protect you against this worm and other mass-mailing viruses currently in circulation.
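The attachment-extension guidance above can also be applied mechanically at a mail gateway or over a stored mailbox. The following is an added example, not part of the NIPC alert: it uses Python's standard `email` package, and the function names and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the alert's guidance for individual users.
RISKY_EXTENSIONS = {".exe", ".vbs", ".bat", ".scr", ".pif"}


def risky_attachments(raw_message: bytes) -> list[str]:
    """Return filenames of MIME parts whose final extension is on the alert's list."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        filename = part.get_filename()  # decodes RFC 2047 / RFC 2231 encoded names
        if not filename:
            continue
        # Windows ignores trailing dots and spaces in file names, so strip them
        # before taking the extension; compare case-insensitively. Only the last
        # extension counts, which also catches names such as "photo.jpg.scr".
        cleaned = filename.strip().rstrip(". ").lower()
        dot = cleaned.rfind(".")
        if dot != -1 and cleaned[dot:] in RISKY_EXTENSIONS:
            flagged.append(filename)
    return flagged


def build_sample(filename: str) -> bytes:
    """Constructed sample message with one small attachment (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("report.pdf", "photo.jpg.SCR", "notes.vbs.", "setup.exe"):
        print(name, "->", risky_attachments(build_sample(name)))
```

A message that returns a non-empty list is a candidate for quarantine or for stripping the attachment before delivery.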

The anti-virus software industry is aware of Goner and is providing signature files to download to detect and remove it from infected hosts. Full descriptions and removal instructions are located at the following anti-virus web sites:

F-Secure Corp.

Network Associates Inc./McAfee.com

Symantec Corp.

Trend Micro Inc.
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_GONE.A

As always, the NIPC encourages computer users to keep anti-virus and systems software current by frequently checking vendor web sites for updates, and routinely checking for alerts issued by the NIPC, CERT/CC, and similar organizations.

The NIPC encourages recipients of this alert to report computer intrusions to their local FBI office http://www.fbi.gov/contact/fo/fo.htm or the NIPC, and to other appropriate authorities. Recipients may report incidents online at http://www.nipc.gov/incident/cirr.htm, and can reach the NIPC Watch and Warning Unit at (202) 323-3205, 1-888-585-9078 or nipc.watch@fbi.gov.